Virtual Private Networks: Technologies and Solutions

Hardcover
from $0.00

Author: Ruixi Yuan

ISBN-10: 0201702096

ISBN-13: 9780201702095

Category: Remote Access & Virtual Private Networks (VPNs)


Virtual private networks have become an essential part of today's business networks, as they provide a cost-effective means of assuring private internal and external communications over the shared Internet infrastructure. Virtual Private Networks: Technologies and Solutions is a comprehensive, practical guide to VPNs. This book presents the various technology components, concrete solutions, and best practices you need to deploy and manage a highly successful VPN. Readers will find an overview of fundamental VPN concepts and architectures, followed by an in-depth examination of advanced features and functions such as tunneling, authentication, access control, VPN gateways, VPN clients, and VPN network and service management.

Specific topics covered include:

- IPsec, featuring the Authentication Header, Encapsulating Security Payload, Internet Key Exchange, and implementation details
- PPTP, L2F, L2TP, and MPLS as VPN tunneling protocols
- Two-party and three-party authentication, including RADIUS and Kerberos
- Public key infrastructure (PKI) and its integration into VPN solutions
- Access control policies, mechanisms, and management, and their application to VPNs
- VPN gateway functions, including site-to-site intranet, remote access, and extranet
- Gateway configuration, provisioning, monitoring, and accounting
- Gateway interaction with firewalls and routers
- VPN client implementation issues, including interaction with operating systems
- Client operation issues, including working with NAT, DNS, and link MTU limits
- VPN management architectures and tunnel and security management
- Outsourcing and service provider environments

The book concludes with a forward look at the future of VPNs that examines such issues as security and quality of service (QoS). VPN scenarios throughout the book demonstrate how to put the described techniques and technologies to work in a real-world Virtual Private Network.

Review by Daniel M. St. Andre, ercb.com

As you stroll the book aisles, Virtual Private Networks: Technologies and Solutions, by Ruixi Yuan and W. Timothy Strayer, might lead you to grab for a VPN-How-To volume. After all, isn't every organization going to need VPNs if they haven't got them already?

Early in Chapter 1 the authors state "Virtual private networking is the collection of technologies applied to a public network -- the Internet -- to provide solutions for private networking needs." That said, they go on to deliver page after page of what could have been dry and tedious protocols and bitmaps in a style that I found fun to read. Consider:

"The essence of creating a VPN is to assemble the technological components according to a cohesive architecture in order to create practical solutions for organizational communications needs. These components make possible both the 'virtual' and the 'private' aspects of a VPN."

"Part I: VPN Fundamentals" is a must read for anyone with any involvement with contemporary networks and their security. Yuan and Strayer present topic by topic and layer by layer in a systematic manner. There is a consistent flow from situation, through candidate approaches and available protocols, to implementation. At no time do they coerce you into a conclusion. Instead, after reading each section, I found some approach obviously better than others. Later reading would reveal that I had chosen the approach that the authors preferred.

Even for those who simply use their computer from their homes or from the enclosure of their workplace surroundings, this book explains much of what happens behind the scenes to connect the several distributed offices and facilities of a modern organization.

Each of the chapters in "Part II: VPN Technologies" covers frame and packet level details of topics such as Tunnels, IPsec, Authentication, Public Key Infrastructure, and Access Control, as separate chapters.

The authors begin by discussing the concept of network Tunnels independently from how they might be implemented. This lays a foundation for the several issues that must be resolved while deciding tunnel deployment configuration. While there are several alternatives, Yuan and Strayer make clear their preference for IPsec to enable delivery of network layer security services. They devote an entire chapter to the IPsec topic. Given a secure method to make connections, a network must be able to Authenticate connection requests -- is the requester who they claim to be? -- and the Public Key services available to carry the various forms of authentication information. Once the requested connection exists, a network uses various Access Control mechanisms to grant or deny use.

Every chapter presents a thorough definition of the topic, a discussion of the issues and concerns relating to this topic, and then describes the various protocols and techniques that exist to address each concern. Consider the following discussion of Authentication:

"The difference between various two-party authentication schemes lies in how the authentication information, the authentication function, and the expected results are created, stored, and transmitted between the two authenticating parties."

The authors proceed to present discussion of passwords, challenge-and-response, token cards, and smartcards as basic technologies. They follow the technology discussions with the details about PAP, CHAP, EAP, RADIUS and other protocols that implement the features of the basic technologies.

"Part III: VPN Solutions" was both a surprise and a disappointment. Given the word "solutions" in the section title, I expected to find system administrator level command-line configuration details used to deploy a VPN on some reference platform. Failing to find pages of cryptic parameter settings, I was at first disappointed.

However, as I read on, I realized that the treatment used by Yuan and Strayer fell into the "teach a man to fish" category. For example, while reading about Site-to-Site VPN deployment, I found a bulleted list naming the requirement for a type of tunneling mechanism. The discussion that followed presented IPsec and L2TP as candidates for this mechanism. The discussion of IPsec revealed that I needed to use an encryption algorithm (3DES, for example), a message integrity algorithm (such as SHA-1), and a type of authentication (shared secret, certificate authority, and the like). At the conclusion, I was left with a thorough understanding of the deployment of a VPN.

Lest you think I fell besotted by the material, there are some things that, while primarily editorial, might result in a better book were they corrected in a second printing or follow-up edition. As you might expect in a networking volume, there are plenty of graphs and diagrams. Things might be better were these diagrams located in better locations, typically before the prose that discusses them. Once, a Windows protocol layer diagram appears bracketed by UNIX specific prose -- completely outside of the nearby Microsoft Windows section title.

Another annoyance involved the huge number of references to Internet Request For Comments (RFC) documents -- only to find additional details tucked away in an appendix. It might have been better to warn readers and arm them with access to supporting materials, either in the Preface or preferably as a footnote to the first RFC reference.

Lastly, I expected to find a detailed case study that either ran throughout the material or as a chapter unto itself toward the end of the book. This case study might have used one of the Linux distributions to provide you a platform for self-directed study. Any of the Linux kits currently available contains most of the recommended parts and the rest are readily available online.

A Windows-based implementation might be problematic due to the licensing and fee-for-software nature of that environment. The book contains a case study, but it is far too lightweight for a serious student. In defense of this omission, I suspect that any attempt to present a cookbook deployment might result in a sofa-sized volume or might offer such superficial treatment as to be practically useless. There were only a few instances when the authors resorted to lines of code-level discussions. These were brief, on topic, and might be skipped without any loss.

When the time came, the book equipped me with good understanding of what to do during VPN deployment without the droll reprinting of configuration files, command lines, or screens from some user interface. Add this book to your networking library. You won't regret it.
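The review quotes the book on how two-party schemes differ in how the authentication information, the authentication function and the expected results are created, stored and transmitted, and names PAP and CHAP as the protocols that carry the "password" and "challenge-and-response" technologies. The script below is an added example, not code from the book or from the reviewer: it runs a PAP and a CHAP exchange over a recording link so that the difference is visible in the captured frames, and then plays the eavesdropper against both captures. The CHAP computation follows RFC 1994 (MD5 over Identifier, secret, Challenge); the PAP framing is simplified to name and password separated by a NUL byte rather than the exact RFC 1334 packet layout. The user names, secrets and the wordlist are constructed for illustration.

```python
"""PAP vs. CHAP two-party authentication over a recording link.

Added example, not from the book: shows what each scheme transmits, what
the authenticator must store, and what a passive eavesdropper gets.
CHAP follows RFC 1994 (MD5 over Identifier || secret || Challenge); the
PAP framing is simplified (name NUL password) rather than the exact
RFC 1334 packet layout. Names, secrets and the wordlist are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


class Wire:
    """Records every frame in order, i.e. what a passive attacker on the link sees."""

    def __init__(self) -> None:
        self.frames: List[Tuple[str, bytes]] = []

    def send(self, direction: str, payload: bytes) -> bytes:
        self.frames.append((direction, payload))
        return payload


# PAP: the authentication information is the secret itself, sent in the clear.
def pap_login(wire: Wire, name: str, password: str, user_db: Dict[str, str]) -> bool:
    frame = wire.send("peer->auth", name.encode() + b"\x00" + password.encode())
    who, _, pw = frame.partition(b"\x00")        # authenticator parses the request
    stored = user_db.get(who.decode())           # expected result = stored password
    return stored is not None and hmac.compare_digest(stored.encode(), pw)


# CHAP: the secret is an input to a one-way function and never crosses the link.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_login(wire: Wire, name: str, secret: bytes, user_db: Dict[str, bytes],
               identifier: int = 1, challenge: Optional[bytes] = None) -> bool:
    challenge = os.urandom(16) if challenge is None else challenge
    # Authenticator -> peer: Challenge packet (Identifier, Value-Size, Value).
    wire.send("auth->peer", bytes([identifier, len(challenge)]) + challenge)
    # Peer -> authenticator: Response packet (Identifier, Value-Size, Value, Name).
    value = chap_response(identifier, secret, challenge)
    frame = wire.send("peer->auth", bytes([identifier, len(value)]) + value + name.encode())
    # Authenticator recomputes the expected result from its own copy of the secret,
    # which it therefore has to keep in recoverable (not salted-hash) form.
    ident, vlen = frame[0], frame[1]
    got, who = frame[2:2 + vlen], frame[2 + vlen:].decode()
    stored = user_db.get(who)
    return stored is not None and hmac.compare_digest(chap_response(ident, stored, challenge), got)


# What a passive eavesdropper gets from each recorded exchange.
def pap_sniff_password(wire: Wire) -> Optional[bytes]:
    """PAP: the password is readable straight out of the captured frame."""
    for direction, frame in wire.frames:
        if direction == "peer->auth":
            return frame.partition(b"\x00")[2]
    return None


def chap_offline_guess(wire: Wire, wordlist: List[bytes]) -> Optional[bytes]:
    """CHAP: nothing on the wire is the secret, but a captured challenge/response pair
    can be tested offline against candidate secrets; a weak secret still falls."""
    identifier = challenge = response = None
    for direction, frame in wire.frames:
        if direction == "auth->peer":
            identifier, challenge = frame[0], frame[2:2 + frame[1]]
        elif direction == "peer->auth":
            response = frame[2:2 + frame[1]]
    if identifier is None or response is None:
        return None
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    w = Wire()
    print("PAP accepted:", pap_login(w, "alice", "hunter2", {"alice": "hunter2"}),
          "| sniffed password:", pap_sniff_password(w))
    w = Wire()
    print("CHAP accepted:", chap_login(w, "alice", b"hunter2", {"alice": b"hunter2"}),
          "| secret on wire:", any(b"hunter2" in f for _, f in w.frames),
          "| offline guess:", chap_offline_guess(w, [b"password", b"letmein", b"hunter2"]))
```

Run it and the two captures make the book's point concrete: under PAP the authentication information, the function (plain comparison) and the expected result all collapse into the password itself, and it is transmitted, so the listener gets it for free. Under CHAP the secret stays on both ends and only a challenge and a digest travel, but two consequences follow from that design and are worth knowing before deploying it: the authenticator must hold the secret in recoverable form to recompute the expected result, so its user database cannot be a salted-hash store, and a captured challenge/response pair supports an offline dictionary attack, which is what chap_offline_guess performs. MD5, the function RFC 1994 mandates, is also no longer an acceptable choice for new designs.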

Preface

The Internet has been around in one form or another for more than three decades now, but it really has been since the middle of the 1990s that the use of the Internet became a daily part of people's lives. Connectivity to the Internet is now imperative for almost all companies, regardless of what their business really is. Individuals can find Internet access at school, work, and home, in cafés and kiosks, and in cell phones and PDAs. Staying connected has become an obsession.

The focus has shifted from being connected to being securely connected. It is one thing to have Internet access, but without security, the usefulness of the connectivity is rather limited. People want to have the reach of the Internet, but they should not have to compromise their privacy or expose proprietary resources.

Fortunately, all of the ingredients are present for constructing a private network on top of a public one. The challenge comes in putting the technologies together so that the result is a viable and secure virtual private network.

This book provides a comprehensive guide to the technologies used to enable VPNs, the VPN products built from these technologies, and the combinations of various components to provide practical VPN solutions.

VPN technologies and solutions are still rapidly evolving. This book describes the current state of the art in this field. But things change quickly, so when appropriate, we have attempted to point out the continued effort in the industry to develop new technologies and solutions.

Audience

This book is intended for a broad range of readers interested in virtual private networks.

For network engineers and managers, this book serves as a practical guide to the technologies and solutions. It discusses issues to be considered in designing and implementing a VPN.

For VPN software and hardware developers, it provides the necessary background material to understand the functions to be developed and the rationale behind them.

For IT managers and executives, this book sets the overall context of VPNs and provides the means for assessing various implementations from equipment vendors and service offerings from service providers.

For students and educators, this book can be used as a reference text for a course in network security or electronic commerce.

Book Organization

This book is organized in three parts. Part I—VPN Fundamentals—consists of three chapters: Introduction, Basic Concepts, and VPN Architectures. Chapter 1 introduces the concept of VPN and how it permits flexibility in facilitating private communication in a public network. We also classify the relevant technologies into four distinct categories. Chapter 2 sets VPNs in context by briefly reviewing the development of the Internet and how security has been thrust to the forefront. It also reviews the basic IP networking and cryptography concepts that pertain to VPNs. Chapter 3 presents VPN architectures in two ways. The first approach is based on designing VPN around practical networking solutions: site-to-site intranet, extranet, and remote access. The second approach focuses on the different traffic aggregation points where security services are applied.

Part II—VPN Technologies—consists of five chapters: Tunnels, IPsec, Authentication, Public Key Infrastructure, and Access Control. Chapter 4 is concerned with the most important technology category—tunneling. We investigate the many different tunneling technologies that are important in VPN solutions. Chapter 5 concentrates on IPsec, the security protocol for IP standardized by the IETF and, in our opinion, the VPN tunneling technology that will be most prevalent going forward. Chapter 6 describes authentication in a broad context first and then describes the various two-party and three-party schemes that are widely applied in networking. The most important three-party scheme—PKI—is then presented in Chapter 7. In Chapter 8, we look at access control technologies, an often overlooked but vital aspect of VPNs. We describe how access policies can be presented, managed, and enforced in a networked environment.

Part III—VPN Solutions—consists of four chapters: VPN Gateways, VPN Clients, VPN Network and Service Management, and VPN Directions: Beyond Connectivity. This part describes how the various technology components can be assembled to create practical VPN solutions. Chapter 9 starts with the roles played by a VPN gateway, then derives the requirements imposed on the gateway, and finally describes the various functions that should be implemented. It also presents a concrete design example. Chapter 10 details the many issues of VPN clients, some similar to VPN gateways and some different. Chapter 11 presents the needs and approaches for performing continued management of VPNs from the viewpoints of both a network and a service. Finally, we discuss the future directions of VPNs in Chapter 12 and how important it is to realize that networking is the means, not the goal, and to look beyond simple connectivity in the networking arena.

How to Read the Book

There are two ways to read this book. For novices, we recommend completing Part I before proceeding to either Part II or Part III. For readers already knowledgeable in networking and security, each chapter is self-contained and can be read separately.

Readers are encouraged to read Chapters 4 and 5 together to obtain a fuller grasp on the concept of tunneling and IPsec as a layer-three tunneling technology. Similarly, Chapters 6 and 7 deal with authentication, with Chapter 7 exploring public key infrastructures in detail. It is also a good idea to review how a certain technology is introduced in Part II before seeing how it is applied to a VPN solution in Part III.

Ruixi Yuan
Tim Strayer
Boston, Massachusetts
March 2001

Contents

Preface
Pt. I  VPN Fundamentals  1
Ch. 1  Introduction  3
Ch. 2  Basic Concepts  23
Ch. 3  VPN Architectures  45
Pt. II  VPN Technologies  55
Ch. 4  Tunnels  57
Ch. 5  IPsec  75
Ch. 6  Authentication  103
Ch. 7  Public Key Infrastructure  129
Ch. 8  Access Control  155
Pt. III  VPN Solutions  173
Ch. 9  VPN Gateways  175
Ch. 10  VPN Clients  215
Ch. 11  VPN Network and Service Management  245
Ch. 12  VPN Directions: Beyond Connectivity  269
Acronyms  283
References  289
Index  303

Booknews

This guide presents the various technology components, concrete solutions, and best practices you need to deploy and manage a highly successful virtual private network (VPN). Yuan (researcher focusing on high-speed networking and security) and Strayer (scientist and VPN researcher) present 12 chapters that overview fundamental VPN concepts and architectures and examine advanced features and functions such as tunneling, authentication, access control, and VPN gateways, clients, and network and service management. They conclude with a look at the future of VPNs that examines such issues as security and quality of service. VPN scenarios demonstrate how to put the described techniques and technologies to work in a real-world situation. Annotation c. Book News, Inc., Portland, OR (booknews.com)